Previous Section Back to Table of Contents Lords Hansard Home Page

Fourthly, government needs urgently to focus on this mushrooming economic threat, yet the UK Government’s first response to the Science and Technology Committee’s report was deeply disappointing—and, indeed, shockingly inadequate, as almost every noble Lord who has spoken in this debate has observed.

There is a strong case for regulating and licensing ISPs and for placing requirements on them. A fit-for-purpose national agency is needed in the UK to focus exclusively on every kind of online crime. I know of one instance in which the police will not consider investigating a syndicate operating here in the UK until it has stolen more than £500,000 of goods—and one has almost done that. Imagine if the police said that about bank robbers. Britain’s police have not yet made the psychological shift from the physical to the digital world. I am sceptical that the recently announced unit will be remotely fit for purpose or of the required scale to deal with these problems. Moreover, a global and not just national approach is needed to counter a category of crime that is committed overwhelmingly across national frontiers. Here the UK Government could bring international leadership.

In recent days, weeks and months we have seen the calamitous cost to Governments and governance of failing to manage risk in the financial sector. The internet is one of the glories of the age, as I am sure we all agree, with a profound and largely beneficial impact on all our lives. Government needs rapidly to engage with managing the risks arising from the internet’s dark side before a cancer takes hold. As yet, Whitehall, too, has been painfully slow to adjust to new digital realities. Let us hope that the excellent stimulus provided by the Science and Technology Committee eventually bears fruit.

2.17 pm

Lord Methuen: My Lords, I welcome this debate, introduced by the noble Lord, Lord Broers, on the Science and Technology Committee’s original and follow-up reports on internet security and the Government’s responses to these reports. I, too, am disappointed by the generally unenthusiastic response of the Government to the initial report and I am

10 Oct 2008 : Column 472

concerned with their response to the follow-up report. I should say that I was not a member of the committee when the original report was produced.

I share with other speakers concerns about the situation concerning bank fraud and where the responsibilities of the various parties lie. I wonder how many people have counted up how many passwords and the like they have. I did—it amounts to six PIN numbers, five passwords, two account access numbers, two security numbers and various other items. I suspect that this quantity is modest, compared with many people. But for the less able computer and card users, it is horrendous, and it is hardly surprising that people write them down or use family information and names for them and do not change them as frequently as they should. I know that I do not change them as frequently as I could because, if I do, I cannot remember them. Surely it must be possible to devise a better system than this. I am terrified at the possibilities of a key-stroke recorder residing on my computer and me being totally unaware of it. One hopes that one’s anti-virus software picks up things like that.

I shall now raise the international perspective. In June, I attended as a representative of this House the IPAIT conference in Sofia—that is, the International Parliamentarians Association for Information Technology. This was the sixth such conference, earlier ones having been held in Seoul, Bangkok, Rabat, Brasilia and Helsinki last year, which I was also able to attend. The theme of this year's conference was information technology and ethics, which is relevant to this debate today. It was attended by about 120 people from 24 countries worldwide. There are 60 members of IPAIT. The UK is only an observer member.

At the end of the conference, we issued a declaration of IPAIT's ethical aims for the future of information technology, and the internet in particular. The document is too long and verbose to read out now, but I will arrange for it and other supporting documents to be sent to members of both the Science and Technology and Information Committees, the latter committee having sponsored my attendance at the conference. I think these papers are well worth reading. The main proceedings unfortunately are in the form of four DVD discs of the televised process of the conference, and are not practical to distribute.

The declaration from the conference contains some 13 individual clauses calling for internet regulation and standards of ethics; misuse of information; measures against cyberattacks—remember both Estonia and Korea have been subject to these, and of course Georgia was mentioned by an earlier speaker—protection of children; dissemination of ethical conduct for users; requirements for internet service providers to block illegal and harmful information, and require their full co-operation in the investigation of criminal internet activities; the safeguarding of civil rights; privacy and freedom of expression in all forms of communication; and so on. I appreciate that this goes somewhat wider than the reports we are discussing. The main thrust of all this was the need for international agreement on such ethical matters, and international participation in fighting e-crime because of the “wild west” nature of the internet, to quote the noble Lord, Lord Broers.



10 Oct 2008 : Column 473

The keynote speech was by academician Professor Kyril Boyanov of the Bulgarian Academy of Sciences. After reviewing the many benefits of information and communication technology, both to the economy of the nation and the individual citizen, he went on to discuss the benefits that technology could bring to the crisis in representative democracy occurring in many countries where we have very low turn-outs in elections. The benefits of e-voting and e-participation could go some way in providing the citizen with a more meaningful method of connecting with our democratic processes, and obviously are subject to the security issues we have already discussed.

Noble Lords may think that this has little relevance to our debate on internet security, but if you consider e-voting via the internet in particular, as is already being used in Estonia, it becomes highly relevant. This subject was much discussed at the recent EPRI conference in Dublin. EPRI looks at ICT from a parliamentary point of view, looking out to the voter and enabling him to communicate with his MP and see and understand what Parliament is doing.

Professor Boyanov pointed out that the internet is changing our lives, socially and commercially. The level of trust in the internet varies widely, ranging from 3 per cent in Brazil to 65 per cent in Korea. In the UK it is 44 per cent. Again, the level of accessibility by households varies widely throughout the world, from a high of 95 per cent in Korea to 10 per cent in Mexico and Turkey. These are figures for 2006.

With all these benefits comes the downside—the easy and widely spreading use of malicious information, co-ordination of criminal activities and unauthorised access to information, all helped by inadequate legislation on internet crime, both at national and international level. Professor Boyanov goes on to discuss the various types of security threats, of which noble Lords are all too well aware.

In conclusion, I suggest that we need national and international agreements and co-operation in fighting cybercrime in all its forms if we are to maintain public confidence and safe use on the internet.

2.24 pm

Viscount Bridgeman: My Lords, I welcome the noble Lord, Lord Brett, to the first debate to which he will respond from the Dispatch Box. The whole House will be grateful for this well researched report in which the committee makes constructive recommendations. We particularly thank the noble Lord, Lord Broers.

Your Lordships will be well aware that in 2007 nearly two households in three had the internet and 53 per cent of adults purchased goods and services on it. The latest fraud figures published by APACS show that plastic card fraud losses are up by 14 per cent year on year in the first six months of 2008. We all have our pet stories. One sophisticated scam involves inviting, with a very plausible story, a user to part with her PayPal code number. I have no doubt that I am not alone in experiencing a current plague of phishes, supposedly from the major UK clearing banks, designed to obtain clients’ account numbers. However, the noble Lord, Lord Birt, chillingly reminded us that this is

10 Oct 2008 : Column 474

child’s play compared with what we can expect in the near future, and that organised crime is becoming increasingly involved.

The committee recommended a cross-departmental group involving internet security experts to develop a co-ordinated approach to collecting data on internet crime and classifying the offences. We are pleased to note that the Government have acted on this recommendation and I am sure the House will be interested to hear more from the Minister about the role of the new police central e-crime unit, announced two weeks ago, which will work with the National Fraud Reporting Centre and the National Fraud Intelligence Bureau. I hope the Government will also take account of my party's suggestion that there should be an e-crime specialty within the Crown Prosecution Service. I hope that when the Government read this debate they will note particularly the eloquent vision of the noble Lord, Lord Bhattacharyya, regarding the duties and challenges which lie ahead of us in fighting cybercrime.

The committee’s report made the further related point that there was insufficient research in this area and that one or more interdisciplinary research centres needed to be set up. Several noble Lords have made it clear that the Government’s response was inadequate and has been very badly received. However, I am pleased to note the intervention of the two new Ministers, which I hope will rectify the situation.

These Benches have made a number of criticisms of the Government's approach. In your Lordships' debate on 20 March this year, I made the point that in our view,

Indeed, that sentiment has run through this debate. I make no apology for repeating our criticisms here. The National Hi-Tech Crime Unit, which was set up in 2001 in response to the threat of online crime, provided a good link with police forces and business. In early 2006 it was absorbed into SOCA, despite widespread criticism that it would leave a yawning gap between local forces and national policing. In April 2007, ring-fenced funding for computer crime units in individual police forces was cut off. Furthermore, financial fraud can no longer be reported to the police directly. That important point was made by the noble Lord, Lord Broers. It must first be reported to the financial institution concerned, which then decides whether the matter should be reported to the police for further action. He was particularly critical of that. All these issues still very much concern noble Lords on this side of the House. This all emphasises the disconnect between the police and the increasingly electronically sophisticated public.

It is hardly surprising, therefore, that nine out of 10 offences go unreported because the victims believe that the police are unable or unwilling to investigate. This view is reflected by the police, who in January 2007 reported to the Metropolitan Police Authority—I am sure that the noble Lord, Lord Harris, will be familiar with this—as follows:

“There is an issue of under-reporting across the UK. There is an unspoken public perception that e-crime is so pervasive that the police service does not have the capacity to investigate each

10 Oct 2008 : Column 475

individual allegation. The public have reported difficulties in reporting e-crime to the police. Also many organisations may be unaware of their computer being compromised, making it difficult to establish definitive annual financial harm”.

It has been our view for some time that a police national cybercrime unit should be set up, with adequate specialist support. That is why we very much welcome the setting up of the new e-crime unit, which I hope will go a considerable way towards addressing the deficiencies to which I have referred. We would also like to see the industry working towards a common standard, with the establishment of a kitemark. That was a key recommendation of the committee, which again got a very disappointing reaction. I hope that can be rectified.

The noble Lord, Lord Broers, made a point about the responsibility of the banking industry. I have had sight of a letter from Angela Knight, chief executive of the British Bankers’ Association, to my honourable friend James Brokenshire MP, in which she states that under the revised banking code,

That is refreshingly unequivocal, especially in view of the fact that I am assured by my son that a substantial proportion of online banking and credit card fraud is caused by the failure of customers to keep their passwords or PINs secure, for example, by leaving them in the vicinity of the relevant cards. The computer press recently featured articles on the steps that the clearing banks are taking to counteract cybercrime, so we can say that the banking industry is playing a responsible part in the fight. However, I entirely agree with the noble Lord, Lord Broers, that statutory control of the banks in this respect is required and that we cannot rely on the voluntary code.

We must be aware that cybercrime extends beyond fraud. I refer to denial of service, to which the noble Lord, Lord Harris of Haringey, referred, in which an external source hacks into a computer system and swamps it with incoming messages, thus making it impossible for the victim to exercise its proper functions. As the noble Lord said, that was spectacularly used in Russia’s dispute with Estonia and, more recently, during the short Russia-Georgia war. This can clearly be a problem of international proportions, especially when practised, as it clearly was in that recent incident, at government level. Theoretically, it is outwith the scope of this debate, but there can be no reason why this particular scam or operation could not be used just as easily against individuals. Are there any plans to address this potentially very large problem?

I have a number of specific questions, of which I have given notice to the Minister. First, there is the matter of ratification of the code. In their response to the committee’s recommendations, the Government stated that they were implementing changes to the Computer Misuse Act, following which they would proceed with ratification of the Council of Europe Convention on Cybercrime. That was in April, and it is now October. What is the present position, and when will the Government be in a position to proceed with ratification?



10 Oct 2008 : Column 476

Allied to that is the lack of effectiveness of the Computer Misuse Act. A record of an average conviction rate of 15 per annum for computer fraud cases is derisory, and I hope that the Government will address the apparent anomaly that 25 offences under the Computer Misuse Act are not categorised as “serious” under SOCA. The fact that salmon poaching is categorised as “serious” is passing into folklore.

My third point—I emphasise that this is based on hearsay only from within the police service—is that inquiries and action on computer fraud are being hampered by inadequate forensic resources, which has resulted in a backlog of cases. I hope that we can have an assurance from the Minister that this subject is being addressed.

This has been a most interesting and constructive debate. I repeat the thanks from these Benches to the noble Lord, Lord Broers, his committee and staff. I look forward to the Minister’s reply.

2.34 pm

Lord Brett: My Lords, when I was allotted the privilege of responding on behalf of the Government to the distinguished report written by a distinguished group, I admit that I felt some trepidation. After reading the report, the trepidation increased. After hearing the contributions to the debate, the trepidation has continued to increase, but for a variety of reasons. One of them is due to the speed at which the internet develops, as has rightly been said. A number of issues raised in this debate developed after the report—indeed, after government action. That development will continue. Therefore, the ability of the human process—whether it is the legal process or the commercial process—to keep up to speed with changes is a challenge to us all.

The Government welcome the report and this debate. The report comes at a time of growing interest in the safety of individuals and their information on the internet, and is a very valuable contribution to this broad, continuing and, perhaps, endless debate. The Government beg forgiveness—at least I do—if their first response to the report was seen to be, or was thought to have been, insulting in any way. It was never meant to be. I would view this report as being a spur to the Government and a challenge for us to recognise, as a Government and an Administration, the need to protect the public.

It is clear from the take-up of broadband access across the UK, and from the growth in online commerce, that the public to a large degree is comfortable in using the technology and increasingly enjoys the services available. However, the Government are not, and cannot be, complacent about the risks to the public, and have taken legislative and organisational steps to ensure that the public can have confidence in the internet and is protected from harm. Many of the comments in this debate and in the report are requirements that we give force to that statement in terms of legislative and other measures.

The Government’s response to the threat to the safety of the public and business has grown, and will continue to grow, as the use of the internet has risen and continues to rise. The noble Lord, Lord Mitchell, vividly reminded us of that in terms of the speed of

10 Oct 2008 : Column 477

developments. It affects all areas of society. We should seek to increase protection of our population through the development of legislation, the provision of specialist law enforcement bodies and co-operative working within the UK and internationally.

The Government welcome the recognition in the report that the problems of making the internet safe cannot be addressed by government, or by any other group, alone. It is vital that all relevant sectors of society work together to ensure that the internet is as safe as possible and that information is available to the public to empower it to protect itself.

The Government and the agencies for which they are responsible work with a number of different groups to support work on internet security. We are working with the internet crime and disorder partnerships, established through EURIM, which brings together government, Parliament and civil society. Some noble Lords will be familiar with many of the acronyms in this area. In this debate, I have heard many other acronyms used by the internet and the computer industry. When information technology meets the Civil Service, perhaps the slogan might be, “Acronyms rule OK”. Therefore, one should not seek to use acronyms, where possible; but I am afraid that on this occasion there are so many acronyms that it is impossible to do otherwise. The importance of the partnership through EURIM and the collaboration of industry, government, Parliament and civil society is that they will develop a co-ordinated approach to online crime and establish a co-operative regulatory framework for the internet, capable of adapting with the necessary speed and flexibility required in this rapidly changing area.

The challenge set by many noble Lords is to see whether the Government are capable of keeping up the speed and degree of flexibility that we require. In the eyes of the Government, it is one of a number of vital and complementary initiatives that we need to tackle general electronic crime, alongside the law enforcement response provided by SOCA e-crime, the Police Central e-crime Unit and the National Fraud Strategic Authority—three very important bodies.

The Government recently sponsored the Byron review, which considered how children can be protected on the internet and made a number of recommendations, all of which the Government accepted. The key recommendation was that the UK should establish a forum that brings together government, law enforcement, industry and the third sector to look at how the internet can be made as safe as possible for children. On 29 September, the Prime Minister launched the UK Council for Child Internet Safety. I am very pleased to report that there has been a positive response from all sectors and that well over 100 organisations have applied to join the council, showing that there is a broad commitment across society to support safety for children.

The Government strongly support the work of Get Safe Online, which brings together industry and law enforcement to provide safety information to the public and industry. We believe it is right for government to work alongside industry: by working together they will help to ensure that people are kept safe and are empowered to stay safe online. Additionally, officials

10 Oct 2008 : Column 478

from the Department for Business, Enterprise and Regulatory Reform are committed to working with representatives from the Internet Services Providers’ Association to achieve this. We hope that over the coming months we will see a serious elevation of the debate on the clear and consistent role that industry can take to demonstrate the protection it is offering, with advice on how people can protect themselves online.

In that context, there is nothing like a personal interest to bring about concentration on a piece of legislation. This morning, I received a letter from my bank telling me that in the course of an hour someone had attempted to use my details to purchase about £1,200-worth of goods in Venezuela. The impressive thing about that is that fortunately the bank refused to accept any of the transactions and has now written to me saying that it suspects fraud. Nothing like this has happened to me before, and that incident demonstrates the risk but also the comfort that can be gained from efficient and effective protection—in this case, from my bank.

Earlier this month, the Government brought into force changes to the Computer Misuse Act 1990 that increase the maximum penalty for the Section 1 offence of unauthorised access to computer material to two years to better reflect the seriousness of such offences. The changes also ensure that the offence is extraditable, which, in the international context, is very important. Similarly, we have increased the maximum penalty for the Section 3 offence of unauthorised modification of computer material to 10 years. We have broadened the definition of the Section 3 offence to clarify that all means of interference with a computer system are criminalised, and in particular to ensure that adequate provision is made to criminalise all forms of denial of service attacks—a matter raised by several noble Lords—so that they can be better dealt with. We have also created a new offence of making, adapting or supplying articles for use in computer misuse offences to discourage the market in the production and distribution of hacking tools. We believe that these changes have ensured that the legal framework to tackle offences on the internet is robust and relevant.

In 2006, the Government set up the Child Exploitation and Online Protection Centre, or CEOP, to protect children from those who would seek to harm them online. CEOP has grown into a world leader and has had remarkable success in rescuing children, arresting offenders and building relationships with law enforcement in the UK and overseas. CEOP has also developed a widespread educational programme for children and parents, which allows children to understand the risks on the internet and to protect themselves from harm.


Next Section Back to Table of Contents Lords Hansard Home Page